orchestracities / boost

BOOST4.0 EIDS FIWARE CIM Connector
MIT License

IDSA keys storage in k8s secrets #15

Open c0c0n3 opened 4 years ago

c0c0n3 commented 4 years ago

At the moment both pub and private keys sit in the adapter config. While it's okay for the pub key to be there, we should find a better home for the private key---think raising the bar for security. Figure out if Istio Citadel could help here or should we rather use K8s secrets/tmpfs volumes? Any other options?

The advantage of adapter config storage is access speed and caching. We should consider these two factors too when scratching around for a solution.

chicco785 commented 4 years ago

Step 0 secret, then if resource allows I would investigate Citadel

gboege commented 4 years ago

I would go for the more docker/k8s solution. To make it easier to understand in the first run. If we face performance issues, we should have it in mind.

c0c0n3 commented 4 years ago

If my memory serves me well, K8s secret volumes get mounted on a tmpfs which is normally RAM-backed. So key lookup should be darn fast...well, at least that's the theory, time will tell :-)
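
A sketch of the "step 0" option discussed in this thread, added here as an example and not taken from the project's own manifests: the private key moves out of the adapter config into a K8s Secret that is mounted read-only as a file, while the public key stays in the adapter config. All names, the namespace, the image, the mount path and the `PRIVATE_KEY_FILE` variable are assumptions for illustration.

```yaml
# Added example: every name, path and the image below is hypothetical.
apiVersion: v1
kind: Secret
metadata:
  name: idsa-private-key          # hypothetical Secret name
  namespace: adapter-ns           # hypothetical namespace
type: Opaque
stringData:
  # Placeholder only. Create the real value out of band (for example with
  # `kubectl create secret generic ... --from-file=...`), not from a file
  # committed to the repository.
  private-key.pem: "<PEM-ENCODED-PRIVATE-KEY-PLACEHOLDER>"
---
apiVersion: v1
kind: Pod
metadata:
  name: adapter                   # hypothetical workload name
  namespace: adapter-ns
spec:
  containers:
    - name: adapter
      image: example.invalid/adapter:placeholder   # placeholder image
      env:
        # Hypothetical setting: the adapter reads the key from this file
        # once at start-up and keeps the parsed key in memory, so the
        # caching benefit of config storage is preserved.
        - name: PRIVATE_KEY_FILE
          value: /etc/idsa/keys/private-key.pem
      volumeMounts:
        - name: idsa-key
          mountPath: /etc/idsa/keys
          readOnly: true          # the container cannot modify the key file
  volumes:
    - name: idsa-key
      secret:
        secretName: idsa-private-key
        defaultMode: 0400         # owner read-only file permissions
        items:
          - key: private-key.pem
            path: private-key.pem
```

The Secret is only as protected as the cluster's RBAC rules on `secrets` in that namespace and its etcd encryption-at-rest settings, so both belong in the review of this change.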